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Abstract 
The purpose of this document is to provide an overview of the third 
version of the Internet-standard Management Framework, termed the 
SNMP version 3 Framework (SNMPv3). This Framework is derived from 
and builds upon both the original Internet-standard Management 


Framework (SNMPvl) and the second Internet-standard Management 
Framework (SNMPv2). 


The architecture is designed to be modular to allow the evolution of 
the Framework over time. 
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1 Introduction 


This document is an introduction to the third version of the 
Internet-standard Management Framework, termed the SNMP version 3 
Management Framework (SNMPv3) and has multiple purposes. 


First, it describes the relationship between the SNMP version 3 
(SNMPv3) specifications and the specifications of the SNMP version 1 
(SNMPv1) Management Framework, the SNMP version 2 (SNMPv2) Management 
Framework, and the Community-based Administrative Framework for 
SNMPv2. 


Second, it provides a roadmap to the multiple documents which contain 
the relevant specifications. 


Third, this document provides a brief easy-to-read summary of the 
contents of each of the relevant specification documents. 


This document is intentionally tutorial in nature and, as such, may 
occasionally be "guilty" of oversimplification. In the event of a 
conflict or contradiction between this document and the more detailed 
documents for which this document is a roadmap, the specifications in 
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the more detailed documents shall prevail. 


Further, the detailed documents attempt to maintain separation 
between the various component modules in order to specify well- 
defined interfaces between them. This roadmap document, however, 
takes a different approach and attempts to provide an integrated view 
of the various component modules in the interest of readability. 


2 The Internet Standard Management Framework 


The third version of the Internet Standard Management Framework (the 
SNMPv3 Framework) is derived from and builds upon both the original 
Internet-standard Management Framework (SNMPv1l) and the second 
Internet-standard Management Framework (SNMPv2). 


All versions (SNMPvl, SNMPv2, and SNMPv3) of the Internet Standard 
Management Framework share the same basic structure and components. 
Furthermore, all versions of the specifications of the Internet 
Standard Management Framework follow the same architecture. 


2.1 Basic Structure and Components 


An enterprise deploying the Internet Standard Management Framework 
contains four basic components: 


* several (typically many) managed nodes, each with an SNMP entity 
which provides remote access to management instrumentation 
(traditionally called an agent); 


* at least one SNMP entity with management applications (typically 
called a manager), 


* a management protocol used to convey management information 
between the SNMP entities, and 


* management information. 


The management protocol is used to convey management information 
between SNMP entities such as managers and agents. 


This basic structure is common to all versions of the Internet 
Standard Management Framework; i.e., SNMPvl, SNMPv2, and SNMPv3. 


2.2 Architecture of the Internet Standard Management Framework 
The specifications of the Internet Standard Management Framework are 


based on a modular architecture. This framework is more than just a 
protocol for moving data. It consists of: 
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* a data definition language, 


* definitions of management information (the Management 
Information Base, or MIB), 


* a protocol definition, and 
* security and administration. 


Over time, as the Framework has evolved from SNMPvl, through SNMPv2, 
to SNMPv3, the definitions of each of these architectural components 
have become richer and more clearly defined, but the fundamental 
architecture has remained consistent. 


One prime motivator for this modularity was to enable the ongoing 
evolution of the Framework as is documented in RFC 1052 [14]. When 
originally envisioned, this capability was to be used to ease the 
transition from SNMP-based management of internets to management 


based on OSI protocols. To this end, the framework was architected 
with a protocol-independent data definition language and Management 
Information Base along with a MIB-independent protocol. This 


separation was designed to allow the SNMP-based protocol to be 
replaced without requiring the management information to be redefined 
or reinstrumented. History has shown that the selection of this 
architecture was the right decision for the wrong reason -- it turned 
out that this architecture has eased the transition from SNMPv1 to 
SNMPv2 and from SNMPv2 to SNMPv3 rather than easing the transition 
away from management based on the Simple Network Management Protocol. 


The SNMPv3 Framework builds and extends these architectural 
principles by: 


* building on these four basic architectural components, in some 
cases incorporating them from the SNMPv2 Framework by reference, 
and 


* by using these same layering principles in the definition of new 
capabilities in the security and administration portion of the 
architecture. 


Those who are familiar with the architecture of the SNMPvl Management 
Framework and the SNMPv2 Management Framework will find many familiar 
concepts in the architecture of the SNMPv3 Management Framework. 
However, in some cases, the terminology may be somewhat different. 
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3 The SNMPv1 Management Framework 


The original Internet-standard Network Management Framework (SNMPv1) 
is defined in the following documents: 


* STD 16, RFC 1155 [1] which defines the Structure of Management 
Information (SMI), the mechanisms used for describing and naming 
objects for the purpose of management. 


* STD 16, RFC 1212 [2] which defines a more concise description 
mechanism for describing and naming management information objects, 
but which is wholly consistent with the SMI. 


* STD 15, RFC 1157 [3] which defines the Simple Network Management 
Protocol (SNMP), the protocol used for network access to managed 
objects and event notification. Note this document also defines an 
initial set of event notifications. 


Additionally, two documents are generally considered to be companions 
to these three: 


* STD 17, RFC 1213 [13] which contains definitions for the base 
set of management information 


* RFC 1215 [25] defines a concise description mechanism for 
defining event notifications, which are called traps in the SNMPv1 
protocol. It also specifies the generic traps from RFC 1157 in the 
concise notation. 


These documents describe the four parts of the first version of the 
SNMP Framework. 


3.1 The SNMPv1 Data Definition Language 


The first two and the last document describe the SNMPv1 data 
definition language. Note that due to the initial requirement that 
the SMI be protocol-independent, the first two SMI documents do not 
provide a means for defining event notifications (traps). Instead, 
the SNMP protocol document defines a few standardized event 
notifications (generic traps) and provides a means for additional 
event notifications to be defined. The last document specifies a 
straight-forward approach towards defining event notifications used 
with the SNMPv1 protocol. At the time that it was written, use of 
traps in the Internet-standard network management framework was 
controversial. As such, RFC 1215 was put forward with the status of 
"Informational", which was never updated because it was believed that 
the second version of the SNMP Framework would replace the first 
version. Note that the SNMPvl1 data definition language is sometimes 
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referred to as SMIvl. 
3.2 Management Information 


The data definition language described in the first two documents was 
first used to define the now-historic MIB-I as specified in RFC 1066 
[12], and was subsequently used to define MIB-II as specified in RFC 
1213-13]: 


Later, after the publication of MIB-II, a different approach to 
management information definition was taken from the earlier approach 
of having a single committee staffed by generalists work on a single 
document to define the Internet-standard MIB. Rather, many mini-MIB 
documents were produced in a parallel and distributed fashion by 
groups chartered to produce a specification for a focused portion of 
the Internet-standard MIB and staffed by personnel with expertise in 
those particular areas ranging from various aspects of network 
management, to system management, and application management. 


3.3 Protocol Operations 


The third document, STD 15, describes the SNMPv1 protocol operations 
performed by protocol data units (PDUs) on lists of variable bindings 
and describes the format of SNMPv1 messages. The operators defined by 
SNMPv1 are: get, get-next, get-response, set-request, and trap. 
Typical layering of SNMP on a connectionless transport service is 
also defined. 


3.4 SNMPv1 Security and Administration 


STD 15 also describes an approach to security and administration. 
Many of these concepts are carried forward and some, particularly 
security, are extended by the SNMPv3 Framework. 


The SNMPv1 Framework describes the encapsulation of SNMPv1 PDUs in 
SNMP messages between SNMP entities and distinguishes between 
application entities and protocol entities. In SNMPv3, these are 
renamed applications and engines, respectively. 


The SNMPv1 Framework also introduces the concept of an authentication 
service supporting one or more authentication schemes. In addition 
to authentication, SNMPv3 defines the additional security capability 
referred to as privacy. (Note: some literature from the security 
community would describe SNMPv3 security capabilities as providing 
data integrity, source authenticity, and confidentiality.) The 
modular nature of the SNMPv3 Framework permits both changes and 
additions to the security capabilities. 
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Finally, the SNMPvl Framework introduces access control based on a 
concept called an SNMP MIB view. The SNMPv3 Framework specifies a 
fundamentally similar concept called view-based access control. With 
this capability, SNMPv3 provides the means for controlling access to 
information on managed devices. 


However, while the SNMPvl Framework anticipated the definition of 
multiple authentication schemes, it did not define any such schemes 
other than a trivial authentication scheme based on community 
strings. This was a known fundamental weakness in the SNMPv1 
Framework but it was thought at that time that the definition of 
commercial grade security might be contentious in its design and 
difficult to get approved because "Security" means many different 
things to different people. To that end, and because some users do 
not require strong authentication, the SNMPvl architected an 
authentication service as a separate block to be defined "later" and 
the SNMPv3 Framework provides an architecture for use within that 
block as well as a definition for its subsystems. 


4 The SNMPv2 Management Framework 

The SNMPv2 Management Framework is fully described in [4-9] and 
coexistence and transition issues relating to SNMPvl and SNMPv2 are 
discussed in [10]. 
SNMPv2 provides several advantages over SNMPvl, including: 

* expanded data types (e.g., 64 bit counter) 

* improved efficiency and performance (get-—bulk operator) 

* confirmed event notification (inform operator) 

* richer error handling (errors and exceptions) 

* improved sets, especially row creation and deletion 

* fine tuning of the data definition language 
However, the SNMPv2 Framework, as described in these documents, is 
incomplete in that it does not meet the original design goals of the 
SNMPv2 project. The unmet goals included provision of security and 


administration delivering so-called "commercial grade" security with 


* authentication: origin identification, message integrity, 
and some aspects of replay protection; 


* privacy: confidentiality; 
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* authorization and access control; and 


* suitable remote configuration and administration capabilities 
for these features. 


The SNMPv3 Management Framework, as described in this document and 
the companion documents, addresses these significant deficiencies. 


5 The SNMPv3 Working Group 


This document, and its companion documents, were produced by the 
SNMPv3 Working Group of the Internet Engineering Task Force (IETF). 
The SNMPv3 Working Group was chartered to prepare recommendations for 
the next generation of SNMP. The goal of the Working Group was to 
produce the necessary set of documents that provide a single standard 
for the next generation of core SNMP functions. The single, most 
critical need in the next generation is a definition of security and 
administration that makes SNMP-based management transactions secure 
in a way which is useful for users who wish to use SNMPv3 to manage 
networks, the systems that make up those networks, and the 
applications which reside on those systems, including manager-to- 
agent, agent-to-manager, and manager-to-manager transactions. 


In the several years prior to the chartering of the Working Group, 
there were a number of activities aimed at incorporating security and 
other improvements to SNMP. These efforts included: 

* "SNMP Security" circa 1991-1992 [RFC 1351 - RFC 1353], 

x MSMP™. circa: 1992-1993, 

* "The Party-based SNMPv2" circa 1993-1995 [RFC 1441 - RFC 1452]. 
Each of these efforts incorporated commercial grade, industrial 
strength security including authentication, privacy, authorization, 


view-based access control, and administration, including remote 
configuration. 


These efforts fed the development of the SNMPv2 Management Framework 
as described in RFCs 1902 - 1908. However, the Framework described 
in those RFCs had no standards-based security and administrative 
framework of its own; rather, it was associated with multiple 
security and administrative frameworks, including: 


* "The Community-based SNMPv2" (SNMPv2c) [RFC 1901], 


x "SNMPv2u" [RFCs 1909 - 1910] and 
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* "SNMPV2*". 


SNMPv2c had the endorsement of the IETF but no security and 
administration whereas both SNMPv2u and SNMPv2* had security but 
lacked the endorsement of the IETF. 


The SNMPv3 Working Group was chartered to produce a single set of 
specifications for the next generation of SNMP, based upon a 
convergence of the concepts and technical elements of SNMPv2u and 
SNMPv2*, as was suggested by an advisory team which was formed to 
provide a single recommended approach for SNMP evolution. 


In so doing, the Working Group charter defined the following 
objectives: 


* accommodate the wide range of operational environments with 
differing management demands; 


* facilitate the need to transition from previous, multiple 
protocols to SNMPv3; 


* facilitate the ease of setup and maintenance activities. 


In the initial work of the SNMPv3 Working Group, the group focused on 
security and administration, including 


* authentication and privacy, 
* authorization and view-based access control, and 
* standards-based remote configuration of the above. 
The SNMPv3 Working Group did not "reinvent the wheel," but reused the 


SNMPv2 Draft Standard documents, i.e., RFCs 1902 through 1908 for 
those portions of the design that were outside the focused scope. 


Rather, the primary contributors to the SNMPv3 Working Group, and the 
Working Group in general, devoted their considerable efforts to 


addressing the missing link -- security and administration -- and in 
the process made invaluable contributions to the state-of-the-art of 
management. 


They produced a design based on a modular architecture with 
evolutionary capabilities with emphasis on layering. As a result, 
SNMPv3 can be thought of as SNMPv2 with additional security and 
administration capabilities. 
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In doing so, the Working Group achieved the goal of producing a 
single specification which has not only the endorsement of the IETF 
but also has security and administration. 


6 SNMPv3 Framework Module Specifications 


The specification of the SNMPv3 Management Framework is partitioned 
in a modular fashion among several documents. It is the intention of 
the SNMPv3 Working Group that, with proper care, any or all of the 
individual documents can be revised, upgraded, or replaced as 
requirements change, new understandings are obtained, and new 
technologies become available. 


Whenever feasible, the initial document set which defines the SNMPv3 
Management Framework leverages prior investments defining and 
implementing the SNMPv2 Management Framework by incorporating by 
reference each of the specifications of the SNMPv2 Management 
Framework. 


The SNMPv3 Framework augments those specifications with 
specifications for security and administration for SNMPv3. 


The documents which specify the SNMPv3 Management Framework follow 
the same architecture as those of the prior versions and can be 
organized for expository purposes into four main categories as 
follows: 


* the data definition language, 

* Management Information Base (MIB) modules, 

* protocol operations, and 

* security and administration. 
The first three sets of documents are incorporated from SNMPv2. The 
fourth set of documents are new to SNMPv3, but, as described 
previously, build on significant prior related works. 

6.1 Data Definition Language 

The specifications of the data definition language includes STD 58, 
RFC 2578, "Structure of Management Information Version 2 (SMIv2)" 
[26], and related specifications. These documents are updates of 
RFCs 1902 - 1904 [4-6] which have evolved independently from the 


other parts of the framework and were republished as STD 58, RFCs 
2578 - 2580 [26-28] when promoted from Draft Standard. 
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The Structure of Management Information (SMIv2) defines fundamental 
data types, an object model, and the rules for writing and revising 
MIB modules. Related specifications include STD 58, RFCs 2579, 2580. 
The updated data definition language is sometimes referred to as 
SMIv2. 


STD 58, RFC 2579, "Textual Conventions for SMIv2" [27], defines an 
initial set of shorthand abbreviations which are available for use 
within all MIB modules for the convenience of human readers and 
writers. 


STD 58, RFC 2580, "Conformance Statements for SMIv2" [28], defines 
the format for compliance statements which are used for describing 
requirements for agent implementations and capability statements 
which can be used to document the characteristics of particular 
implementations. 


6.2 MIB Modules 


MIB modules usually contain object definitions, may contain 
definitions of event notifications, and sometimes include compliance 
statements specified in terms of appropriate object and event 
notification groups. As such, MIB modules define the management 
information maintained by the instrumentation in managed nodes, made 
remotely accessible by management agents, conveyed by the management 
protocol, and manipulated by management applications. 


MIB modules are defined according the rules defined in the documents 
which specify the data definition language, principally the SMI as 
supplemented by the related specifications. 


There is a large and growing number of standards-based MIB modules, 
as defined in the periodically updated list of standard protocols 


[STD 1, RFC 2400]. As of this writing, there are nearly 100 
standards-based MIB modules with a total number of defined objects 
approaching 10,000. In addition, there is an even larger and growing 


number of enterprise-specific MIB modules defined unilaterally by 
various vendors, research groups, consortia, and the like resulting 
in an unknown and virtually uncountable number of defined objects. 


In general, management information defined in any MIB module, 
regardless of the version of the data definition language used, can 
be used with any version of the protocol. For example, MIB modules 
defined in terms of the SNMPv1 SMI (SMIv1) are compatible with the 
SNMPv3 Management Framework and can be conveyed by the protocols 
specified therein. Furthermore, MIB modules defined in terms of the 
SNMPv2 SMI (SMIv2) are compatible with SNMPvl protocol operations and 
can be conveyed by it. However, there is one noteworthy exception: 
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the Counter64 datatype which can be defined in a MIB module defined 
in SMIv2 format but which cannot be conveyed by an SNMPv1 protocol 
engine. 


6.3 Protocol Operations and Transport Mappings 


The specifications for the protocol operations and transport mappings 
of the SNMPv3 Framework are incorporated by reference to the two 
SNMPv2 Framework documents. 


The specification for protocol operations is found in RFC 1905, 
"Protocol Operations for Version 2 of the Simple Network Management 
Protocol (SNMPv2)" [7]. The SNMPv3 Framework is designed to allow 
various portions of the architecture to evolve independently. For 
example, it might be possible for a new specification of protocol 
operations to be defined within the Framework to allow for additional 
protocol operations. 


The specification of transport mappings is found in RFC 1906, 
"Transport Mappings for Version 2 of the Simple Network Management 
Protocol (SNMPv2)" [8]. 


6.4 SNMPv3 Security and Administration 


The SNMPv3 document series defined by the SNMPv3 Working Group 
consists of seven documents at this time: 


RFC 2570, “Introduction to Version 3 of the Internet-standard 
Network Management Framework", which is this document. 


RFC 2571, "An Architecture for Describing SNMP Management 
Frameworks" [15], describes the overall architecture with special 
emphasis on the architecture for security and administration. 


RFC 2572, "Message Processing and Dispatching for the Simple 
Network Management Protocol (SNMP)" [16], describes the possibly 
multiple message processing models and the dispatcher portion that 
can be a part of an SNMP protocol engine. 


RFC 2573, "SNMP Applications" [17], describes the five types of 
applications that can be associated with an SNMPv3 engine and 
their elements of procedure. 


RFC 2574, "The User-Based Security Model for Version 3 of the 
Simple Network Management Protocol (SNMPv3)" [18], describes the 
threats, mechanisms, protocols, and supporting data used to 
provide SNMP message-level security. 
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RFC 2575, "View-based Access Control Model for the Simple Network 
Management Protocol (SNMP)" [19], describes how view-based access 
control can be applied within command responder and notification 
originator applications. 


The Work in Progress, "Coexistence between Version 1, Version 2, 
and Version 3 of the Internet-standard Network Management 
Framework" [20], describes coexistence between the SNMPv3 
Management Framework, the SNMPv2 Management Framework, and the 
original SNMPvl Management Framework. 


7 Document Summaries 


The following sections provide brief summaries of each document with 
slightly more detail than is provided in the overviews above. 


7.1 Structure of Management Information 


Management information is viewed as a collection of managed objects, 
residing in a virtual information store, termed the Management 


Information Base (MIB). Collections of related objects are defined 
in MIB modules. These modules are written in the SNMP MIB module 

language, which contains elements of OSI’s Abstract Syntax Notation 
One (ASN.1) [11] language. STD 58, RFCs 2578, 2579, 2580, together 


define the MIB module language, specify the base data types for 
objects, specify a core set of short-hand specifications for data 
types called textual conventions, and specify a few administrative 
assignments of object identifier (OID) values. 


The SMI is divided into three parts: module definitions, object 
definitions, and notification definitions. 


(1) Module definitions are used when describing information modules. 
An ASN.1 macro, MODULE-IDENTITY, is used to convey concisely the 
semantics of an information module. 


(2) Object definitions are used when describing managed objects. An 
ASN.1 macro, OBJECT-TYPE, is used to convey concisely the syntax 
and semantics of a managed object. 


(3) Notification definitions are used when describing unsolicited 
transmissions of management information. An ASN.1 macro, 
NOTIFICATION-TYPE, is used to convey concisely the syntax and 
semantics of a notification. 
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7.1.1 Base SMI Specification 


STD 58, RFC 2578 specifies the base data types for the MIB module 
language, which include: Integer32, enumerated integers, Unsigned32, 
Gauge32, Counter32, Counter64, TimeTicks, INTEGER, OCTET STRING, 
OBJECT IDENTIFIER, IpAddress, Opaque, and BITS. It also assigns 
values to several object identifiers. STD 58, RFC 2578 further 
defines the following constructs of the MIB module language: 


* IMPORTS to allow the specification of items that are used 
in a MIB module, but defined in another MIB module. 


* MODULE-IDENTITY to specify for a MIB module a description 
and administrative information such as contact and revision 
history. 


* OBJECT-IDENTITY and OID value assignments to specify a 
an OID value. 


* OBJECT-TYPE to specify the data type, status, and the semantics 
of managed objects. 


* SEQUENCE type assignment to list the columnar objects in 
a table. 


* NOTIFICATION-TYPE construct to specify an event notification. 
7.1.2 Textual Conventions 


When designing a MIB module, it is often useful to specify ina 
short-hand way the semantics for a set of objects with similar 
behavior. This is done by defining a new data type using a base data 
type specified in the SMI. Each new type has a different name, and 
specifies a base type with more restrictive semantics. These newly 
defined types are termed textual conventions, and are used for the 
convenience of humans reading a MIB module and potentially by 
"intelligent" management applications. It is the purpose of STD 58, 
RFC 2579, Textual Conventions for SMIv2 [27], to define the 
construct, TEXTUAL-CONVENTION, of the MIB module language used to 
define such new types and to specify an initial set of textual 
conventions available to all MIB modules. 
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7.1.3 Conformance Statements 


It may be useful to define the acceptable lower-bounds of 
implementation, along with the actual level of implementation 
achieved. It is the purpose of STD 58, RFC 2580, Conformance 
Statements for SMIv2 [28], to define the constructs of the MIB module 
language used for these purposes. There are two kinds of constructs: 


(1) Compliance statements are used when describing requirements for 
agents with respect to object and event notification 
definitions. The MODULE-COMPLIANCE construct is used to convey 
concisely such requirements. 


(2) Capability statements are used when describing capabilities of 
agents with respect to object and event notification 
definitions. The AGENT-CAPABILITIES construct is used to convey 
concisely such capabilities. 


Finally, collections of related objects and collections of related 
event notifications are grouped together to form a unit of 
conformance. The OBJECT-GROUP construct is used to convey concisely 
the objects in and the semantics of an object group. The 
NOTIFICATION-GROUP construct is used to convey concisely the event 
notifications in and the semantics of an event notification group. 


7.2 Protocol Operations 


The management protocol provides for the exchange of messages which 
convey management information between the agents and the management 
stations. The form of these messages is a message "wrapper" which 
encapsulates a Protocol Data Unit (PDU). 


It is the purpose of RFC 1905, Protocol Operations for SNMPv2 [7], to 
define the operations of the protocol with respect to the sending and 
receiving of the PDUs. 


7.3 Transport Mappings 


SNMP Messages may be used over a variety of protocol suites. It is 
the purpose of RFC 1906, Transport Mappings for SNMPv2 [8], to define 
how SNMP messages maps onto an initial set of transport domains. 
Other mappings may be defined in the future. 


Although several mappings are defined, the mapping onto UDP is the 
preferred mapping. As such, to provide for the greatest level of 
interoperability, systems which choose to deploy other mappings 
should also provide for proxy service to the UDP mapping. 
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7.4 Protocol Instrumentation 


It is the purpose of RFC 1907, the Management Information Base for 
SNMPv2 document [9] to define managed objects which describe the 
behavior of an SNMPv2 entity. 


7.5 Architecture / Security and Administration 


It is the purpose of RFC 2571, "An Architecture for Describing SNMP 
Management Frameworks" [15], to define an architecture for specifying 
SNMP Management Frameworks. While addressing general architectural 
issues, it focuses on aspects related to security and administration. 
It defines a number of terms used throughout the SNMPv3 Management 
Framework and, in so doing, clarifies and extends the naming of 


* engines and applications, 


* entities (service providers such as the engines in agents 
and managers), 


* identities (service users), and 


* management information, including support for multiple 
logical contexts. 


The document contains a small MIB module which is implemented by all 
authoritative SNMPv3 protocol engines. 


7.6 Message Processing and Dispatch (MPD) 


RFC 2572, "Message Processing and Dispatching for the Simple Network 
Management Protocol (SNMP)" [16], describes the Message Processing 
and Dispatching for SNMP messages within the SNMP architecture. It 
defines the procedures for dispatching potentially multiple versions 
of SNMP messages to the proper SNMP Message Processing Models, and 
for dispatching PDUs to SNMP applications. This document also 
describes one Message Processing Model - the SNMPv3 Message 
Processing Model. 


It is expected that an SNMPv3 protocol engine MUST support at least 
one Message Processing Model. An SNMPv3 protocol engine MAY support 
more than one, for example in a multi-lingual system which provides 
simultaneous support of SNMPv3 and SNMPv1 and/or SNMPv2c. 
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7.7 SNMP Applications 


It is the purpose of RFC 2573, "SNMP Applications" to describe the 
five types of applications which can be associated with an SNMP 


engine. They are: Command Generators, Command Responders, 
Notification Originators, Notification Receivers, and Proxy 
Forwarders. 


The document also defines MIB modules for specifying targets of 
management operations (including notifications), for notification 
filtering, and for proxy forwarding. 


7.8 User-based Security Model (USM) 


RFC 2574, the "User-based Security Model (USM) for version 3 of the 
Simple Network Management Protocol (SNMPv3)" describes the User-based 
Security Model for SNMPv3. It defines the Elements of Procedure for 
providing SNMP message-level security. 


The document describes the two primary and two secondary threats 
which are defended against by the User-based Security Model. They 
are: modification of information, masquerade, message stream 
modification, and disclosure. 


The USM utilizes MD5 [21] and the Secure Hash Algorithm [22] as keyed 
hashing algorithms [23] for digest computation to provide data 
integrity 


* to directly protect against data modification attacks, 
* to indirectly provide data origin authentication, and 
* to defend against masquerade attacks. 


The USM uses loosely synchronized monotonically increasing time 
indicators to defend against certain message stream modification 
attacks. Automatic clock synchronization mechanisms based on the 
protocol are specified without dependence on third-party time sources 
and concomitant security considerations. 


The USM uses the Data Encryption Standard (DES) [24] in the cipher 
block chaining mode (CBC) if disclosure protection is desired. 
Support for DES in the USM is optional, primarily because export and 
usage restrictions in many countries make it difficult to export and 
use products which include cryptographic technology. 
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The document also includes a MIB suitable for remotely monitoring and 
managing the configuration parameters for the USM, including key 
distribution and key management. 


An entity may provide simultaneous support for multiple security 
models as well as multiple authentication and privacy protocols. All 
of the protocols used by the USM are based on pre-placed keys, i.e., 
private key mechanisms. The SNMPv3 architecture permits the use of 
asymmetric mechanisms and protocols (commonly called "public key 
cryptography") but as of this writing, no such SNMPv3 security models 
utilizing public key cryptography have been published. 


7.9 View-based Access Control (VACM) 


The purpose of RFC 2575, the "View-based Access Control Model (VACM) 
for the Simple Network Management Protocol (SNMP)" is to describe the 
View-based Access Control Model for use in the SNMP architecture. 

The VACM can simultaneously be associated in a single engine 
implementation with multiple Message Processing Models and multiple 
Security Models. 


It is architecturally possible to have multiple, different, Access 
Control Models active and present simultaneously in a single engine 
implementation, but this is expected to be *_very_* rare in practice 
and *_far_* less common than simultaneous support for multiple 
Message Processing Models and/or multiple Security Models. 


7.10 SNMPv3 Coexistence and Transition 


The purpose of "Coexistence between Version 1, Version 2, and Version 
3 of the Internet-standard Network Management Framework" is to 
describe coexistence between the SNMPv3 Management Framework, the 
SNMPv2 Management Framework, and the original SNMPvl Management 
Framework. In particular, this document describes four aspects of 
coexistence: 


* Conversion of MIB documents from SMIv1l to SMIv2 format 

* Mapping of notification parameters 

* Approaches to coexistence between entities which support 
the various versions of SNMP in a multi-lingual network, in 
particular the processing of protocol operations in 


multi-lingual implementations, as well as behavior of 
proxy implementations 
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* The SNMPvl Message Processing Model and Community-Based 
Security Model, which provides mechanisms for adapting 
SNMPv1 and SNMPv2c into the View-Based Access Control Model 
(VACM) [19] 


8 Security Considerations 


As this document is primarily a roadmap document, it introduces no 
new security considerations. The reader is referred to the relevant 
sections of each of the referenced documents for information about 
security considerations. 
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